New name but same great reasons to love bug bounty

February 25, 2019

By Chris Nims, CISO and Paranoid in Chief

Last year was a transformational year for our bug bounty program and 2019 is shaping up to be even better. It's now named Verizon Media to more closely align with the power and resources of Verizon, but the same great program remains. Whether you're a security researcher looking for new programs or an everyday user interested in understanding how we're working to improve the safety and security of our platforms, here are 11 things you should know about Verizon Media's bug bounty program:

Our policy now includes Safe Harbor protections. Verizon Media will not initiate a lawsuit or law enforcement investigation against a researcher in response to reporting a vulnerability if the researcher fully complies with the program policy.

More than 3,000 outside security researchers from around the world have participated in our bug bounty program since its founding.

In 2018 alone, we received and resolved more than 1,900 valid vulnerability reports from researchers through our program.

We paid nearly $5 million in bounties last year, nearly five times the bounties paid in 2017.

In April 2018, we brought 40 of the world's best white hat hackers to an undisclosed location in San Francisco for an event, known as H1-415, to hack our portfolio of brands including Tumblr, Yahoo, Verizon Digital Media Services and AOL. Nine hours of hacking ultimately resulted in $850,000 in bounties.

Our highest payout in 2018 for a single bounty was $30,000.

We prioritize feedback from our security researchers and in June 2018 we updated our program policy to include a public payout table and committed to shorter turnaround times for report response.

More of our brands are publicly available for bug hunting than ever before. Check out the latest publicly available brands at our program page and look out for more brands to become public in 2019.

We've expanded our list of vulnerabilities that qualify for bounties. Today there are 36 categories of vulnerabilities based on CVSS severity and internally-determined impact for which we pay bounty.

H1-415 in San Francisco wasn't our only live hacking event. Throughout 2018, we hosted live hacking events in cities all over the world, including Goa, Buenos Aires and New York City. Look out for more in 2019 and with new live hacking formats.

In a bug bounty first, our New York City live hacking event was a multi-day, team hacking competition. This "World Cup" of hacking netted 159 resolved vulnerabilities across Yahoo products and over $400,000 in payouts.

We're committed to the health and success of this program as it continues to help keep our platforms secure and engender positive engagement with the security community. As always, we invite you to join the effort by visiting our bug bounty platform partner hackerone.com/verizonmedia.